Latest Posts

I am writing this post not to encourage privacy intrusion, hijacking, Facebook account hacking, or anything of that sort. I am writing this post to demonstrate just as how easy it is for almost anyone to break into your Facebook account (and other online services) using only an Android phone. This post also explains how you can essentially shield yourself from any form of intrusion attacks when online.

The controversial Android app is called Faceniff, a truly clever session hijacking app that allows you to sniff and intercept web session profiles over Wi-Fi network where your phone is connected to. Think of Faceniff as Firesheep, but for Android.

Faceniff uses the method called Session Hijacking, a good old process of exploiting valid web sessions, which enables attacker to gain unauthorized access to your account and private information. With Faceniff, you can intercept web sessions from web services such as FaceBook, Twitter, YouTube, Amazon, Tumblr, MySpace, and even Blogger. And worst, web sessions established via HTTPS can even be cracked. Alarming isn't it?

Well, the more disturbing part about it is that almost anyone with a "rooted" Android phone can do it, and even gradeschooler can dot it. Faceniff doesn't have a special requirement to run except that you have a "superadmin" privileges on your Android phone.

Faceniff Lets You Hack Facebook Accounts With Ease

I had the chance to install the app and see things in action on my phone. Below is a quick rundown on how I make Faceniff work, and browse through my friend's Facebook accounts without them knowing:

Step 2 Once installed, launch it. You should be prompted for a Superuser permission. Just hit "Allow" or "Yes" (depending on your phone).

Step 3 There are a couple of instruction that pops up especially if you open the app for the first time. Just follow them carefully...until you arrive into the start-up screen.

Step 4 Toggle "START" and optionally enable SSLStrip to start Faceniff. If valid web sessions found, it will be displayed like this:

Step 5 Click on any of those "hijacked" accounts. Android should then prompt you for a list of browsers currently installed on your device. In my case, I used Opera Mobile as I wasn't able to make it work with default browser, Skyfire and even Opera Mini. Just make sure to set "Mobile" as Opera Mobile's User Agent configurable in the Settings > Advanced menu.

And Voila...

If you constantly connect to a wireless public network like in cafes or malls, recognize that your communication online can anytime be sniffed by almost anyone. Wireless network is notably vulnerable to packet sniffing as the exchange of data is done wirelessly. This vulnerability gives bad guys the opportunity to steal information exchanged over the air.

So, how to stay safe online?

Whenever possible, don't connect to already congested public Wi-Fi network. Rather use the 3G/4G services offered by your ISP. And Virtual Private Network (VPN) applications would also help.